Crypto Jackers Used Google’s DoubleClick To Distribute Mining Malware

Google’s DoubleClick was used to distribute cryptocurrency mining malware to a number of users in Asia and Europe, according to a new report by security firm Trend Micro.

Trend Micro researchers said that they detected an almost 285% increase in the number of Coinhive miners on January 24. They started seeing an increase in traffic to five malicious domains on January 18. After closely examining the network traffic, they discovered that the traffic came from DoubleClick advertisements.

Google’s DoubleClick ad services are also used by video sharing service YouTube. The miner reportedly impacted a number of users on the video sharing website.

According to TrendMicro, an analysis of the malvertisement-riddled pages revealed two different web miner scripts embedded and a script that displays the advertisement from DoubleClick. The affected webpage will show the legitimate advertisement while the two web miners covertly perform their task.

“We speculate that the attackers’ use of these advertisements on legitimate websites is a ploy to target a larger number of users, in comparison to only that of compromised devices,” the security firm said. “The traffic involving the two cryptocurrency miners has since decreased after January 24.”

Trend Micro explained that the advertisement has a JavaScript code that generates a random number between variables 1 and 101. When it generates a variable above 10, it will call out coinhive.min.js to mine 80% of the CPU power, which is what happens nine out of ten times. For the other 10%, a private web miner will be launched. The two web miners were configured with throttle 0.2, which means the miners will use 80% of the CPU’s resources for mining. The modified web miner will use a different mining pool to avoid Coinhive’s 30% commission fee.

In an interview with ArsTechnica, independent security researcher Troy Mursch said YouTube was likely targeted because users are typically on the site for an extended period of time.

“This is a prime target for cryptojacking malware, because the longer the users are mining for cryptocurrency the more money is made,” said Mursch.

Mursch added that a campaign that used the Showtime website to deliver cryptocurrency-mining ads is another example of attackers targeting a video site. In November 2017, a java script developed by Coinhive was found in the code on Showtime’s UFC Fight Pass streaming site.

Back in September, The Pirate Bay, the world’s most popular torrent site, was found to be secretly planting an in-browser cryptocurrency miner on its website that utilizes its visitors’ CPU processing power in order to mine cryptocurrencies.